Close Menu
Crypto Breaking News
    Crypto Breaking News
    • News
      • Press Release
      • Featured
      • Events
      • Exchanges
      • Bitcoin
      • Ethereum
      • Solana
      • Ripple
      • Artificial Intelligence (AI)
      • Real World Assets (RWA)
      • Markets & Finance
      • Regulation & Policy
      • Press Releases by PR Newswire
      • News by CoinPedia
      • News by Coincu
      • News by Blockchain Wire
    • Crypto
      • Companies
      • Events
      • Partners
      • Buy Crypto
      • Timers
    • Advertise
      • Submit a Press Release
      • Logos
      • About
      • Services
    • Offers
      • Marketing Services
      • Wallets & Tools
    • Account
    • Video
    • Contact
    Submit PR
    Crypto Breaking News
    Altcoins Bitcoin Crypto News Exchanges

    Telegram Session Hijacking Used in macOS Malware to Steal Crypto Wallets

    25 seconds ago
    FacebookTwitterLinkedInCopy Link
    News Feed
    Google NewsRSS
    Telegram Session Hijacking Used In Macos Malware To Steal Crypto Wallets
    Telegram Session Hijacking Used In Macos Malware To Steal Crypto Wallets

    A macOS information-stealing malware can compromise cryptocurrency holdings by hijacking Telegram Desktop sessions and extracting wallet data, according to blockchain security firm SlowMist. The attack is notable because it focuses on taking over already-authenticated local sessions and stealing sensitive credentials, rather than relying solely on intercepting new logins.

    SlowMist says the malware harvests data from multiple sources on an affected Mac, including Apple’s Keychain, Safari cookies, Apple Notes, Telegram Desktop and wallet databases tied to more than a dozen crypto wallets. After collecting credentials and authenticated session material, attackers can use the stolen information to access wallets and potentially execute account takeovers.

    Key takeaways

    • SlowMist reports a macOS malware chain that combines credential theft, browser/session harvesting, and wallet database extraction.
    • Telegram two-step verification may not stop the attack because the malware reuses an existing authenticated Telegram Desktop session on the device.
    • The malware targets both software wallets (such as Exodus, Atomic, Electrum, Wasabi, and Monero) and hardware wallet companion apps (Ledger Live and Trezor Suite).
    • Defenders’ best near-term steps include terminating Telegram sessions, re-authenticating on a trusted device, and rotating wallet recovery phrases and assets to new addresses.

    How the Telegram session hijack works

    SlowMist’s assessment centers on the malware’s ability to work through already-established authentication. Rather than forcing a new Telegram login flow—which would typically require re-entering a phone number, verification code, and two-step verification password—the malware appears to leverage the authenticated session stored locally by Telegram Desktop.

    In its reproduced testing, SlowMist says researchers restored stolen Telegram Desktop session data on another Mac without needing to repeat the normal verification steps, including entering a phone number or two-step verification password. That means even users who believe their Telegram protections are strong may still face risk if their device has already been compromised.

    For crypto users who rely on Telegram to manage accounts, coordinate transfers, or receive wallet-related approvals, this matters: a session takeover can enable attackers to impersonate the user, obtain access to conversations and any linked operational details, and facilitate subsequent wallet-focused actions.

    What data the malware harvests on macOS

    SlowMist reports that the malware gathers a range of sensitive information from the compromised system. The company specifically points to macOS Keychain data, Safari cookies, Apple Notes, and Telegram Desktop. It also looks for cryptocurrency wallet data stored on the device.

    Beyond user credentials and browser artifacts, the malware also targets stored wallet databases and related wallet extension data. SlowMist says that after collection, attackers copy authenticated session data, wallet databases, and browser wallet extension information—creating multiple paths for wallet access depending on the wallet type and local storage structure.

    The combined approach is important because it increases the odds of success. Instead of betting on a single weakness, the malware can pursue credential-based decryption and offline wallet database recovery, or it can aim at social engineering and application replacement—two methods that can operate even if one fails.

    Wallet targets: from desktop software to hardware app companions

    According to SlowMist, the malware targets both common software wallets and applications associated with hardware wallets. On the software side, it names Exodus, Atomic, Electrum, Wasabi and Monero. On the hardware side, it includes Ledger Live and Trezor Suite—suggesting the malware aims to compromise not only keys stored by desktop apps, but also the companion software environments used to interact with hardware wallets.

    SlowMist also says the malware searches for wallet data stored by full-node clients. It lists Bitcoin Core, Litecoin Core, Dash Core, and Dogecoin Core as examples, implying that systems running these services may contain wallet-related data that the attacker can harvest.

    This breadth means affected users may not realize they are at risk simply because they don’t use one of the “headline” wallets. Anyone who stores wallet data locally, uses wallet-related companion apps, or keeps backups and recovery material on the same device could be exposed depending on what the malware detects and copies.

    Two ways attackers can turn stolen data into theft

    SlowMist describes two primary endgame strategies after the data theft phase.

    First, attackers can attempt to decrypt stolen wallet databases offline using passwords taken from the infected device. If the malware successfully extracts the credentials needed to unlock local wallet storage, offline decryption reduces the attacker’s dependence on live access or additional compromise steps.

    Second, SlowMist says attackers may replace legitimate Ledger and Trezor applications with fake versions designed to trick users into entering recovery phrases. This shifts the attack from purely technical compromise to user deception, leveraging the fact that many users will naturally follow prompts in trusted-looking wallet software.

    SlowMist states that it reproduced the full attack chain in an isolated environment, supporting the firm’s characterization of how the different components can work together—from data collection through to potential wallet manipulation.

    What users should do if they suspect compromise

    SlowMist urged users who suspect their devices have been compromised to take immediate containment steps. The firm recommends terminating existing Telegram Desktop sessions, establishing a new trusted login, and then changing both the Telegram two-step verification password and the Telegram Desktop Passcode.

    For wallet security, SlowMist advises users to generate a new recovery phrase on a clean device and move all assets to new addresses. The underlying logic is straightforward: if a recovery phrase or wallet database may be recoverable by an attacker, treating existing addresses as potentially compromised helps reduce the chance of future unauthorized access.

    Given the malware’s emphasis on authenticated sessions and local credential harvesting, the safest remediation tends to focus on “breaking the chain” on the infected device—re-authenticating critical services and rebuilding wallet access from a clean environment rather than attempting to patch individual components.

    Going forward, investors and everyday users alike should watch for signs of Telegram session abnormality (unexpected activity, sudden device prompts, or account behavior) and treat any macOS security incident as potentially wallet-relevant. The key uncertainty remains how widely such malware campaigns are deployed in the wild—but SlowMist’s findings offer a clear blueprint for why device compromise, not just exchange security, can determine the outcome of a crypto theft attempt.

    Risk & affiliate notice: Crypto assets are volatile and capital is at risk. This article may contain affiliate links. Read full disclosure

    Crypto Breaking News
    • Website
    • Facebook
    • X (Twitter)
    • Pinterest
    • Instagram
    • Tumblr
    • LinkedIn

    The Crypto Breaking News editorial team curates the latest news, updates, and insights from the global cryptocurrency and blockchain industry.

    Related Posts

    Mica Licensing Faces Delays As Esma Adds 14 Casps To Register

    MiCA Licensing Faces Delays as ESMA Adds 14 CASPs to Register

    1 hour ago
    Sbi Completes Coinhako Acquisition After Mas Regulatory Approval

    SBI Completes Coinhako Acquisition After MAS Regulatory Approval

    2 hours ago
    Warren Seeks 2026 Reports On Trump Crypto Earnings After $1.4b Disclosure

    Warren Seeks 2026 Reports on Trump Crypto Earnings After $1.4B Disclosure

    3 hours ago
    Bolivia Weighs Usdt As Crypto Mining’s Ai Shift Draws Scrutiny

    Bolivia Weighs USDT as Crypto Mining’s AI Shift Draws Scrutiny

    4 hours ago
    Galaxy Secures 15-Year Naming Rights For Texas Tech Stadium

    Galaxy Secures 15-Year Naming Rights for Texas Tech Stadium

    5 hours ago
    Ftx Recovery Trust Approves $900m Creditor Payout In Round 5

    FTX Recovery Trust Approves $900M Creditor Payout in Round 5

    6 hours ago

    Search Crypto News

    Featured Crypto News

    Latest News

    • Telegram Session Hijacking Used in macOS Malware to Steal Crypto Wallets
    • MiCA Licensing Faces Delays as ESMA Adds 14 CASPs to Register
    • SBI Completes Coinhako Acquisition After MAS Regulatory Approval
    • Warren Seeks 2026 Reports on Trump Crypto Earnings After $1.4B Disclosure
    • Bolivia Weighs USDT as Crypto Mining’s AI Shift Draws Scrutiny
    • Galaxy Secures 15-Year Naming Rights for Texas Tech Stadium
    • FTX Recovery Trust Approves $900M Creditor Payout in Round 5
    • FTX to Send $900M to Creditors in Fifth Distribution Round
    • Stablecoins Gain Share as Dollar Liquidity Dries Up
    • Galaxy Secures 15-Year Texas Tech Stadium Naming Rights Deal

    Join 20,000+ Crypto Followers

    • Facebook2.4K
    • Twitter4.5K
    • Instagram7.2K
    • LinkedIn4.3K
    • Telegram55
    • Threads1000
    Bitcoin Asia 2026

    About Crypto Breaking News

    About Crypto Breaking News

    Crypto Breaking News is a fast-growing digital media platform focused on the latest developments in cryptocurrency, blockchain, and Web3 technologies. Our goal is to provide fast, reliable, and insightful content that helps our readers stay ahead in the ever-evolving digital asset space.

    Web3 Digital L.L.C-FZ
    License Number: 2527596
    📞 +971 50 449 2025
    ✉️ info@cryptobreaking.com
    📍Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, United Arab Emirates

    FacebookX (Twitter)InstagramPinterestYouTubeTumblrBlueskyLinkedInRedditTikTokTelegramThreadsRSS

    Links

    • Crypto News
    • Submit a Press Release
    • Advertise
    • Contact Us
    • Privacy Policy
    • Disclaimer
    • Terms and Conditions
    • Stocks Breaking News

    advertising

    eToro Crypto 300x300
    © 2026 CryptoBreaking.com | All rights reserved | Powered by Web3 Digital & Osom One

    Type above and press Enter to search. Press Esc to cancel.

    Change Location
    Find awesome listings near you!